I am a better Security Pr​o because I am an Investor & I am a better Investor Because I am a Security Pro

I am a better Security Pr​o because I am an Investor & I am a better Investor Because I am a Security Pro. - Why investing is important, and why Security Pros are uniquely suited to it

Society of Information Risk Analysts Conference

By Gunnar Peterson

May 7, 2012

Thanks to Jay Jacobs for allowing me to speak on this topic. I am going to take you a little off track but I hope the journey will be worthwhile from personal and professional development standpoint, we will return in due time to infosec topics.

Effective information security and investing require similar skills - risk management is the obvious one but it goes way deeper than that.

First, good investors foster a defensive mindset - they know they are playing a losers game and act accordingly.

Next, investors deal with data ( but only to a point) - investors have great historical data and next to nothing about the future risks - sound familiar?

Last, "Hacking the system" mentality pays off - good investors find obscure features nobody cares to see and figure out how to exploit it.

What I really want to talk about is the shared mindset of successful investors and what infosec can learn from it. I would like to offer my thoughts on this and leave plenty of time for Q&A and open discussion.

Learning about and practicing investing offers security pros concrete benefits - on a personal level protecting money (always welcome), but really we're used to thinking in terms of retirement pensions and this is no longer the case. Most everyone will need to manage their own retirement, start now; finally there is a professional benefit in the sense that once you understand the capital dynamics of certain business decisions that formerly made zero sense become crystal clear with an capital allocation hat on.

Part 1. Why You Should Care

What's one of the most common complaints in infosec? managers, developers, execs don't understand the threats, the state of the vulnerabilities and the assets in play. in short they don't understand the risks they are taking they simply stick with status quo, kicking the can down the road.

However it turns out that in our own lives most infosec people do the exact same thing with their own family balance sheet.

Most of the people in this room are probably not saving enough for their own retirement. there are good reasons for why this is happening, people never learned to save and invest. America's track record on saving is awful. and in the old days investing did not matter so much and so it was not a skill passed down the generational tree. For one thing, people would rely on their company to take care of them, they used to have pensions. Anyone here have a pension they are counting on? Hands? Bueller?

So we cannot rely on pensions, what's next well there is the government and social security, medicare, medicaid and so on, however we saw in 2008 as well as last year in the debt ceiling showdown precisely how little value add the "management" in DC brings to the table to protecting your assets. I am sure we are all somewhere on the priority list but there is a long line of lobbyists and lawyers ahead of us.

It turns out that financial planning has the same problem to solve as infosec, getting people to envision their future self and act accordingly.

The Wall St Journal reported on a set of studies to see if people would turn from spenders to savers if they looked through VR at their older self. What would your older self want you to do? Buy that humungous TV or put some money away for a rainy day?

For some perspective, China's saving rate is close to 50%, while the US hovers close to zero percent. This study showed that people's willingness to save increased when looking at their future selves. Jim Rogers has a great practice on saving - when you think of buying something today, simply multiply its cost by twenty to see how much it will be worth down the road when you are retired. A dinner out is "only" $75, but would you still go out to eat if you figured the cost at $1,500? Warren Buffett pithily sums this up as - do I really need a $300,000 haircut?

A shocking number of professional people have said to me over the years, I know you are into investing but I don't have time and/or interest to do that. Hello? To that I would quote - Deming you may not be interested in the future, but the future is most certainly interested in you. Whenever you decide to allocate a percentage of your income to you 401k, IRA or whatever versus spending versus debt like home and student loans, you already are making these decisions today. The only question is are you making them consciously or are you kicking the can down the road like so many middle managers we all deal with from 9-5 M-F who fob off the hard decisions until a tomorrow (they think) never comes. Hope is not a strategy.

To be clear, when I say I am going to talk about investment, I am not talking about short term trading. When I talk about investing I mean 3-5 year time horizons or more. This context is important because the financial world is filled with short term thinkers where close of business this Friday is considered long term.

In terms of investment strategy, most people save too little and what they save they put into a mutual fund. Again this common practice sets you up for future failure. First consider that 80% of mutual funds underperform the S&P 500 index, and that is before fees. Gains in the stock market are temporary but fees are forever. Charlie Munger said on Saturday if you are reviewing an investment and the fees are too high don't even read the prospectus - run. Fees are a tapeworm that eat your returns (if you are lucky enough to have any in the first place), Paying a Management fee of 2% over 20 years in a mutual fund is identical to paying a 33% upfront load. You would never think about doing the latter, so you should avoid the former. individuals should defend against fees and regularly review the cost structure.

Instead, we're lucky that Jack Bogle at Vanguard [1] in the 1970s invented the low cost index fund to solve precisely this problem for individual investors. If you are like many people I have talked with over the years and don't want to spend time and don't care much about investing, then low cost index funds that allow you to "buy the whole market return" at a very low cost are where you should focus. Still I hope you will stay for the rest of this talk.

Part 2. Defensive Mindset

Now that we've looked at why you should care, let's consider some of the advantages a career in infosec may give you over the general population. Part two of this talk is on the defensive mindset which is of course a requirement on some level for everyone in infosec.

In infosec, we are constantly bombarded by people wanting to ship risky products and we're faced with daily challenges as to what, where and how to both assess the risk and figure out how to protect our companies' assets.

In investment, every single day there is a barrage of information on CNBC and the like of hot new companies that will manage your facebook follower, keep you social media up to date, check you in for your flight and cure cancer all at the same time, now wouldn't you want to pay $500 a share for that?

The question in both cases is not can i believe these claims, but rather must i believe these claims that I am being presented with?

Asking these questions in infosec is why infosec people are not the most popular in their companies. Its reminiscent of what Warren Buffett described what the role of the chairman of the Federal Reserve should be, which is to take away the punch bowl right when the party gets started. Everyone thinks that they can stop dancing right 11:59 pm, but at midnight someone is still dancing and it all goes to pumpkins and mice.

Despite not winning popularity contests, Infosec people should take heart from the great value investor Jean Marie Eveillard. He famously refused to buy tech stocks during the dotcom hey day saying - I would rather lose half my clients than half my client's money.

In infosec, we won't be the most popular across the organization but we're paid to find ways to protect assets not win beauty pageants.

Steven Sears [2] in his great new book The Indomitable Investor says bad investors try to make money, good investors try to think of ways not to lose money.

Like good investors, Infosec people should recognize we're playing a loser's game.

Charley Ellis looked at studies of professional tennis which pointed out that professional tennis is a “winner’s game,” in which the match goes to the player who’s able to hit the most winners: fast-paced, well-placed shots that his opponent can’t return. But the tennis the rest of us play is a “loser’s game,” with the match going to the player who hits the fewest losers. The winner just keeps the ball in play until the loser hits it into the net or off the court. In other words, in amateur tennis, points aren’t won; they’re lost. A loss-avoidance strategy the version of tennis amateurs try to play.

Howard Marks [3] applied this idea it to investments. "on market efficiency and the high cost of trading led him to conclude that the pursuit of winners is unlikely to pay off. Instead, you should try to avoid hitting losers. I found this view of investing absolutely compelling. I can’t remember saying, “Eureka; that’s the approach for me,” but the developments over the last three decades certainly suggest his article was an important source of my inspiration.

Because of his conviction that markets are efficient, Charley recommended passive investing as the best way to end up the winner – let others try the tough shots and fail. Our view is a little different. Although we believe in the existence of inefficient markets as well as efficient ones, we still view the avoidance of losers as a wonderful foundation for investment success. Thus we diversify our portfolios, limit the fundamental risk we’ll take, try to buy things that provide downside protection, and emphasize senior securities. We, too, try to win by not losing."

So the defensive mindset pays off in investing and in infosec. Protect the downside. The question for infosec people is what and where should we defend. our systems are so complex, this question matters a lot.

In infosec a good game to play is if you have a $100 to spend where should you spend it? Unfortunately today, probably $40 goes to firewalls, $30 to antivirus and a chunk of the rest goes to so-called risk assessments that tell you whether or not spending 70% of your budget on legacy technology is a good idea.

If we can focus on efficacy not legacy where should we invest our mythical $100, what should we defend? Lots of people say its threats, threats, and more threats. And they say they give me $120 to do it. These people will always get some funding because they have great stories, and people love stories for the same reason people would pay $300/share for nonsense companies pets.com during the dotcom phase. Dotcom was a great story in 1999 and cyberwar or cybersecurity anything is a great story today, however this does not mean that throwing money at threats is the best use of your time, capital and resources.

We'll always have threats, yes we need to focus on them but not solely; if you have something someone else wants threats are never going to zero. Its better to focus on the thing you have that someone else wants and where you should have a knowledge advantage - your assets.

What matters in investing and what matters in infosec is building margins of safety. Assume failure. This is stark contrast to how the rest of your business operates and its a valuable service that infosec provides when its done constructively.

When we're faced with such complex IT systems and increasingly complicated business structures and supply chains where should infosec people focus their time and energy? And further, what's the main thing to protect? Is it financial or intellectual property or the transactional backbone or the supply chain? It varies on an industry by industry basis, so much in infosec is driven by the financial industry that if a martian visited earth, they would think the entire information security reason for being is to protect credit card numbers.

Certainly, for companies in that industry it is job one, but other companies have vastly different concerns. Financial data is not the sum total of information security. A better way to model this in my view is to look at competitive advantage, so a financial fraud isn't necessarily a game changer for financial institutions because those domains have fraud hard wired into their models. If it gets above a certain level then its a problem. But in the case of events that eat into a firm's long term competitive advantage then its a different story, stealing intellectual property and locking your company out of a market, so you can't sell your products there against a local entity that uses your designs which they stole. For some companies its not financial data or IP as their biggest competitive advantage, though/ There's not a universal model the same way measuring financial fraud isn't applicable to a biotech, there are only domain models.

So in our job infosec to figure out what should we defend? The investment world has some answers for us here.

Buffett says “The key to investing is ..." as an aside, any time one of the world's greatest investors starts out with 'the key to investing is' you really want to hang around for the end of the sentence.

“The key to investing is ..." Buffett says is "determining the competitive advantage of any given company and, above all, the durability of that advantage.”

Probably the best work on this is done by Morningstar[4] which pioneered the concept called moats (patterned on Michael Porter's work on competitive advantage)

5. Efficient Scale: a limited market served by small number of vendors example Lockheed Martin - you only need one nextgen strike fighter supplier

When I teach secure coding to developers, most of the examples we use to say show SQL injection works involve stealing credit cards. So I joke that stealing credit cards is the "Hello World" of computer security, I stole the cards out of the database so now I know how SQL Injection works, but of course this is not the end of the story just like Hello World isn't everything you need to know to write Python.

Businesses that have one of the above types of moats have widely different assets that they require to ensure their moats endure, the old school notion of breach does not pertain directly to most of their competitive advantage, but its more than just IP that's only one type of moat and most businesses don't have IP moats. So the campaigns to be concerned about are the ones targeted at your business' moat and for us to begin to value those that requires at least five different models to analyze across industries.

This is a core lesson - defenders who try to defend everywhere defend nowhere. You have to pick your spots. The two most important things in infosec are Identifying what kind of moat your business has and then defending that moat.

From identifying the oat type the lesson for infosec is clear: Making the moat around the castle wider, deeper and filling it with alligators. Defend the moat.

Be defensive - remember Howard Marks - there are old investors and there are bold investors, but there are no old, bold investors.

Part 3. Dealing with Data

One of the most fun things in life is to steal models out of one knowledge silo and adapt it for use in another. Steal models, but please steal ones that at least work in their own domain, before trying to apply them in infosec.

People in general have a hard time admitting that they don't know something, however this is at least as important as recognizing what you think you know.

Howard Marks calls this the "I know" school versus the "I don't know" school

"One thing each market participant has to decide is whether he (or she) does or does not believe in the ability to see into the future: the “I know” school versus the “I don’t know” school. The ramifications of this decision are enormous.

If you know what lies ahead, you’ll feel free to invest aggressively, to concentrate positions in the assets you think will do best, and to actively time the market, moving in and out of asset classes as your opinion of their prospects waxes and wanes. If you feel the future isn’t knowable, on the other hand, you’ll invest defensively, acting to avoid losses rather than maximize gains, diversifying more thoroughly, and eschewing efforts at adroit timing.

Of course, I feel strongly that the latter course is the right one. I don’t think many people know more than the consensus about the future of economies and markets. I don’t think markets will ever cease to surprise, or thus that they can be timed. And I think avoiding losses is much more important than pursuing major gains if one is to achieve the absolute prerequisite for investment success: survival."

For infosec, the different mindset required for survivability is clear from Howard Lipson's 3 R's of Survivability [5] - Resistance - ability of a system to repel attacks, Recognition - ability to recognize attacks and the extent of the damage, and Recovery - ability to restore essential services during attack, and recover full services after attack

The notion of risk is certainly at heart of this, Pat Dorsey [6] recently wrote an insightful piece on this point, he wrote that risk means different things to different people

"a little bit like discussing the existence of God with a theologian. An academic says risk is volatility--the more an asset bounces around in price, the riskier it is.

A mutual fund manager might say it's career risk. If he lags his benchmark for too long, he gets fired.

An individual might frame it as pain. Of course, we feel losses much more than we value gains. So just seeing your portfolio go down is a lot of risk.

And of course Warren Buffett would just define it as permanent capital impairment--the odds that an asset's value will go down and never recover.

Those are pretty different notions."

In my view, these varying definitions of risk are at the heart of what we saw in 2008. In particular, academic models of risk as volatility were hard wired into trading algorithms, and then further juiced by leverage (up 30x-40x leverage!). The risk as volatility assumption by itself would have just led to dumb trades and losses. But with the extra weight and status of the false precision that academic models can provide, this gave large institutions the courage to lever up 40 to 1 and this turned bad trades into catastrophes and meltdowns. Overconfidence in what one could count and ignoring what one couldn't model.

In the late 1990s, Long Term Capital Management (an early hedge fund) almost blew up the financial system a la 2008 crisis. This fund was run by a small cadre of the smartest people in the business, who had most of their own money in the fund, the staff included two Nobel prize winners (Merton and Scholes) whose work is at the center of modern financial and risk theory, and they went bankrupt very quickly. This is a fascinating story recounted in Roger Lowenstein's "When Genius Failed", and its essential to read it to understand the limitations of models, exactly how the way models are used and the false confidence they create leads to failure. The counterweight to any model is embedding it inside rigid process to enforce sane behavior and limit risk taking.

From Howard Marks in the The Most Important Thing:

"According to the academicians who developed capital market theory, risk equals volatility, because volatility indicates the unreliability of an investment. I take great issue with this definition of risk.

It’s my view that — knowingly or unknowingly — academicians settled on volatility as the proxy for risk as a matter of convenience. They needed a number for their calculations that was objective and could be ascertained historically and extrapolated into the future. Volatility fits the bill, and most of the other types of risk do not. The problem with all of this, however, is that I just don’t think volatility is the risk most investors care about.

There are many kinds of risk. . . . But volatility may be the least relevant of them all. Theory says investors demand more return from investments that are more volatile. But for the market to set the prices for investments such that more volatile investments will appear likely to produce higher returns, there have to be people demanding that relationship, and I haven’t met them yet. I’ve never heard anyone at Oaktree — or anywhere else, for that matter — say, “I won’t buy it, because its price might show big fluctuations,” or “I won’t buy it, because it might have a down quarter.” Thus, it’s hard for me to believe volatility is the risk investors factor in when setting prices and prospective returns.

Rather than volatility, I think people decline to make investments primarily because they’re worried about a loss of capital or an unacceptably low return. To me, “I need more upside potential because I’m afraid I could lose money” makes an awful lot more sense than “I need more upside potential because I’m afraid the price may fluctuate.” No, I’m sure “risk” is — first and foremost — the likelihood of losing money."

In obsessing over volatility and price movements, the Value at Risk and Efficient Market Theory models missed human behavior in markets (driven by fear and greed), the safety of an asset, the liquidity of an asset in the face of certain events, and an overall conservative approach to investing - try to buy dollars for 50 cents, and not lever up 40 to 1 to buy many $100 bills for 99.95 each. This, of course, goes to the heart of risk management - namely building a wide margin of safety as a hedge against your own ignorance, instead overconfidence in flawed models.

Hedging against your ignorance up front (usually by paying a cheap price) means that you have more time and resources to spend on constructing a margin of safety to protect assets and ensure they are there when you need them. It also means you live to play another day. Ill placed confidence in risk models like Value at Risk (VaR) instead of conservative process led people to ignore these virtues. When events began to unwind the dominoes fell quickly because there were no buffers and no foundation just algorithms gone wild running atop a mountain of leverage. As Buffett says you don't know who is swimming naked until the tide goes out.

The Lesson here from Howard Marks is that you can't predict with models but you can prepare by limiting your downside and planning for failure.

Although risk models don't help us much and have only limited utility, fortunately we have checklists.

Checklists are essential for both infosec and investing. Checklists are vital in complex domains where failure is governed not what we don’t know but what we know but don’t apply.

Jean Marie Eveillard said that sometimes what matters is not the probability of something happened but the impact if it did. We all know that attacks in the DMZ are more likely than "inside the firewall", but what about impact? The resources that infosec throws are high probability, but rather low impact attacks on DMZ dwarf the attention given inside the firewall systems. Anyone run unauthenticated web apps on the Internet? But there are many enterprise messaging systems where all you need to know is the address and you have a trail right to the keys to kingdom.

its not that we don't know that authentication is not important. Its not that we don't know that our mainframes, ESBs, and databases are not critical to the businesses, its that we don't apply what we already know.

A checklist is also vital as part of a process to check for failure in behavior and protect against biases and unchecked emotion. Every day there are events that trigger greed, fear, and anxiety radically change people's willingness to take risk. Investors should always have a checklist or more formally an Investment Policy Statement that spells out precisely the purpose of their portfolio, its goals, time horizons, asset class mix, and other factors. The Investment Policy Statement should include a set of "We Will Never.." to check against bad behavior such as use of margin and leverage.

In 2008, the models missed the most important part - safety. Howard Marks describes that a six foot tall person can easily drown in a river that is on average 5 feet deep.

Although, we're limited in what infosec can learn from financial models, I am optimistic that infosec can do better than finance in models, just that we will need to mainly rely on models from other fields like biology, transportation safety and other domains that account better for behavior.

Part 4. Hacking the system - Reverse engineering for fun and profit

In part 2 we talked about the defensive mindset, but this would not be an infosec discussion without looking at the breaker side in addition to the builder side. Wall Street is a rigged game, its rigged against me and you, individual investors. Luckily there are some structural weaknesses that we can exploit if we know where to look.

I would bet a lot of money that I can beat both Garry Kasparov and Michael Jordan in a game. The way I would do this of course is to play Kasparov at basketball and Jordan at chess.

Buffett noticed long ago that Wall Street observed that markets are mostly efficient and immediately leapt to thinking (through lots of Nobel winning mathematics) that they are always efficient. The difference here is night and day and that's the area that individual investors can readily exploit.

The first as I mentioned early on is the importance of time horizon. Looking out three to five years as an individual automatically gives you two big advantages over Wall Street. For one thing you can wait for a thesis play out. You invest money you don't need for three years or more, who cares if it goes down next week. Whereas Wall St shops are just like any other big company - short time horizons, forced closing out of unprofitable trades, long term may be next Friday. The other advantage is efficient taxes. If you are paying 15% long term cap gains you have an immense head start over someone paying 30% even if their before tax return trumps yours.

The long term orientation means that you can buy at the point of maximum pessimism. John Templeton said that "bull markets are born on pessimism, they grow on skepticism, and they die on euphoria."

If you can decouple price and value somewhere around the first two stages is when to buy and stage three when every thinks the future will be perfect forever is when to sell. Again, infosec is no stranger to contrarian behavior and going against the crowd, this trait is very helpful in investing.

The high priests of Efficient Market Hypothesis tell us that assets priced perfectly, reflecting all the available information. The standard retort to this is about two Wall St economists walking down the street, one spots a $20 bill on the ground the other says don't bother stopping to pick it up, if it was real someone else already would have.

The market overreacts on the upside and the downside, finding these opportunities is the job of the investor.

To demonstrate the myth of EMH in action, we do not need to go back any further in time than this past Friday. Let's consider the (not so) curious case of Arcos Dorados

Arcos Dorados has the license to operate McDonalds' in Latin America. McDonald's stock has done quite well over the years and emerging markets is one of the major investing trends of the decade. The franchise is solid with plenty of room to grow.

The US has 14,000 McDonald's for 300M people vs Latam/Arcos 1,800 McDonald's for 500M people, Arcos just opened 86 restaurants in the last 12 months so this is pretty nice combination. They even pay a dividend approaching ~1.4% with plenty of room to grow. The market average is ~1.8% so for a startup with a ton of runway ahead of it, and dividends matter way more than people think

If you were an Arcos Dorados investor on Thursday night this is what you were buying: a solid franchise, great management team, in region with lots of room to grow. What happened on Friday? All hell broke loose. Why? Arcos reported quarterly earnings that included net income rose 9% (not bad), same store sales rose (good), they opened 86 new restaurants (know anyone doing this in the US? or eu for that matter?), and oh and they chose to do some accounting the Brazilian real not the dollar. And the real hit a low on the exchange rate versus the dollar. That shaved $600 Million of their market cap (22%) in the time it takes you to eat a Big Mac. While this was certainly fast, was this "efficient"? On Thursday night you went to bed thinking that the solid franchise and management team were important. The Latam region is important for global diversification and yet one of the reasons for the dramatic one day move had zero to do with business fundamentals, it was a currency reaction.

Who knows if Arcos will be a good or a bad investment, only time will tell. May be kids in Latin America will prove to hate French fries, but one thing seems sure a 22% move in one day over a currency issue is not tied to the value proposition of hamburgers and fries. Things like fluctuations in Real are short term noise in my view but its noise that individuals can exploit.

Just as we do vulnerability assessments in infosec, as the pentesters say we don't break standards we break implementations, individuals should look beyond Wall Street theory and find Wall Street blindspots, biases, and structural weaknesses and use them to your advantage.

I'd like to thank Ivan Arce for suggesting the idea for section 4, and thank you all for your time.